We live in a culture of fast and freely exchanged personal and corporate information, and as individuals and professionals we have become dependent on the immediate delivery of information. But the danger of having all this information at our fingertips is the difficulty of keeping it secure—and safe from criminals.
There have been close to eight hundred million confirmed cybersecurity breaches since 2005, according to the Identity Theft Resource Center, a U.S. nonprofit organization. You don’t want your firm to be the next American Express, Home Depot, or Target. Consumers trusted these companies and assumed they had taken the appropriate steps to protect their information. And they were badly disappointed.
These massive companies are able to survive shocking breaches, but for the average small business, the outcome of a security breach can be much worse. Some 60% of small businesses fail within six months of a cybersecurity breach. Consider for a moment the impact such a breach could have on your business. Would your business and your reputation survive?
While the cyber-perils for small business continue to escalate, advisors face an even higher risk than average. Last year, the financial services industry was the second-most-breached sector, with 22% being attacked, according to a study done by NetDiligence. A Horsesmouth study earlier this year also uncovered some unnerving statistics:
- 52% of advisors’ clients had suffered fraud
- 41% of advisors admitted suffering from fraud
- 89% of advisors worry about increased vulnerability to cyberfraud for themselves and their clients
Everybody is worried about the issue, from consumer credit card users to CIOs of the biggest corporations. Advisors, too, are worried. Yet in my last article about hard drive encryption, I referenced a 2014 study that found many brokerages failed to detect a cyber breach despite their best efforts. Criminals are clever, and no firewall or security system is beyond compromise. If, despite your best efforts, you don’t immediately catch a breach, it can become your and your firm’s worst nightmare.
What liabilities would you face after a breach?
What are the liabilities you might face from your firm, regulators, and clients? Your liability to your firm depends on the firm’s specific policies and procedures.
The regulators, as we know, are interested in your firm’s policies, process, and procedures regarding prevention and resolution in the event of a security breach. Their guidelines focus on an end-to-end risk management solution. They want to see prevention, resolution, and maintenance.
Regulators want to see that you have plans for managing the fallout once a breach is detected. If you do not have such a process, you and your firm could also be subject to additional regulatory action by FINRA and other regulatory bodies, and possibly regulatory fines/penalties. Regulators expect fires to happen, but you had better have a fire drill and damage control procedures in place.
Your clients could potentially sue you and your firm for negligence, breach of contract, injury, or harm. Whether or not they do, you would be responsible for reporting the breach to the appropriate parties. You would also be responsible for the associated breach costs including, but not limited to, notification letters, credit monitoring, potential compensatory damages to clients, regulatory defense, fines/penalties, legal defense, forensics investigation, public relations, and so on.
Needless to say, it’s a costly situation.
So, what if the worst happens? How can you protect your financial practice and your customers’ information in the event of a cybersecurity breach?
Everyone is talking about cybersecurity insurance
Have you thought about cybersecurity insurance? It’s only been on the regulatory radar since 2010, but has recently seen a surge of interest due to our increasing vulnerability. FINRA suggests you evaluate how it might fit into your cybersecurity strategy. The SEC, as well, makes mention of considering insurance in its April 2015 Cybersecurity Guidance Update. And the NAIC notes that increasing attacks mean cyber-liability insurance is a fast-growing market.
Even the Department of Homeland Security is taking part in the cybersecurity insurance discussion. I would be remiss if I didn’t mention one additional regulator, the Federal Financial Institutions Examination Council, which prescribes standards for financial institutions; the FFIEC recently published a Cybersecurity Assessment Tool, good through the end of the year, that can help you identify gaps in your cybersecurity preparedness.
While cybersecurity insurance may sound odd today, as we head into the increasingly connected digital future, this type of insurance may become the new normal for professionals and consumers alike. Heck, if you can insure yourself against a runaway bride, losing at fantasy football, or multiple births (and you can!), surely you can secure yourself against cybercrimes.
Be insurable: Get basic cybersecurity in place
Most carriers who offer cybersecurity insurance require a certain level of basic cybersecurity to qualify for coverage. The insurance company will usually recommend a third party to assess whether you meet the current cybersecurity standard to be insurable, and then make recommendations based on their findings. After the initial assessment, be aware that your policy will probably require you to stay vigilant about keeping your systems updated.
Virtually any policy is going to require that all your desktops and laptops be ‘Opal compliant.’ How will you know if a hard drive is Opal compliant? The easiest way is to verify that it was manufactured in 2007 or more recently.
Opal compliance was adopted as the industry standard for hard drive security back in 2007. Opal-based SEDs, or self-encrypting drives, instantaneously encrypt information as you use your computer. As you may imagine, all it takes is one hard drive made before 2007 to become the weak link in your office that may void your cybersecurity coverage and put your office at risk.
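A more direct check than the manufacturing date, added here as an example that is not part of the original article: ask the drive itself. The open-source sedutil project ships a command-line tool whose `sedutil-cli --scan` lists each disk together with the Opal status the drive reports. The shell snippet below filters that output for drives that report `No`, so an office can inventory non-compliant machines before an insurer's assessment rather than guessing from purchase dates. The exact column layout of the scan output and the sample lines are assumptions constructed for this example; the real scan needs administrator rights, and your tool version's documentation is the authority on its output format.

```shell
#!/bin/sh
# Added example, not from the article or the sedutil project.
# Summarise `sedutil-cli --scan` output and list drives that are
# NOT Opal compliant.
#
# Assumed scan format (one line per disk, banner/footer lines around it):
#   <device>  <Opal status>  <model>  <firmware>
# where the status column is "2" (Opal 2.0), "1" (Opal 1.0),
# "E" (Enterprise SSC) or "No" (no Opal support reported).
#
# Intended use on a real machine (as root):
#   sedutil-cli --scan | opal_noncompliant

# Print the device path of every drive whose status column is "No".
# Only lines whose first field is a /dev/ path are considered, so the
# "Scanning for ..." banner and "No more disks ..." footer are skipped.
opal_noncompliant() {
    awk '$1 ~ /^\/dev\// && $2 == "No" { print $1 }'
}

# Count drives that report some Opal/Enterprise support level.
# n+0 forces numeric output (0) when no drives matched.
opal_compliant_count() {
    awk '$1 ~ /^\/dev\// && $2 != "No" { n++ } END { print n+0 }'
}

# Constructed sample scan output for demonstration; not captured from
# a real system. The mechanical WDC drive is the weak link here.
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/sda    2  Samsung SSD 850 PRO 512GB                EXM02B6Q
/dev/sdb   No  WDC WD5000AAKS-00V1A0                    05.01D05
/dev/nvme0  2  Samsung SSD 970 EVO Plus 1TB             2B2QEXM7
No more disks present ending scan'

# Stand-alone run: report the non-compliant drive(s) from the sample.
printf '%s\n' "$SAMPLE_SCAN" | opal_noncompliant
```

Feed the real scan output into the same functions to produce a list of machines that need a drive replacement or a software-encryption fallback before the policy is bound.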
Not only that, but if employees work outside the office on tablets or personal computers, or use flash drives to transfer information, these items also would compromise your office security—and probably would not be covered by your policy if lost, stolen, or compromised.
Where can you purchase Cybersecurity Insurance coverage?
Big insurance companies from AIG to Zurich are now offering cybersecurity insurance, and if you do a search, you will find many smaller insurers that specialize in cybersecurity coverage. Of course, the magic question is: How do you or your firm determine the right coverage? The best advice is to seek the counsel of a cybersecurity insurance specialist. Let the expert look at your business and create a policy for you, and then make your decision.
What should my cybersecurity insurance policy cover?
When considering what kind of policy is right for your practice, here are some areas of coverage you may want to ask about:
- Data breach coverage. Provides protection against the unauthorized release of Personally Identifiable Information (PII), Protected Health Information (PHI), and corporate confidential information.
- Privacy liability. Some policies will protect compromised information that may not fit state- or federal-specific definitions of PII or PHI.
- Data restoration coverage. Will your coverage upgrade your system and make it whole after a breach?
- Business interruption. What happens if you lose days or weeks of operation?
- Regulatory actions. Will your policy cover the costs of a regulatory investigation or a regulatory action resulting from a cyber incident?
- Litigation/enforcement proceedings.
- Network security coverage. This may include coverage against allegations of a ‘security wrongful act’ such as failing to prevent phishing that results in damage to a client’s data, or failure to prevent unauthorized use of your computer system, or failure to prevent malicious code going from your computer to a client’s computer.
- Cyber extortion liability. What if a harmful third party is threatening to infect your system, for example with malicious code, or to destroy or disseminate confidential information?
- Multimedia liability.
- Monetary impact recovery.
- First and third-party coverage. You want a policy that covers not only damage to you and your company, but liabilities you may owe clients or regulators, for instance if a suit arises in the wake of a data breach.
What is the average cost of Cybersecurity Insurance coverage?
If you scour the web, it is very hard to pin down the actual cost for cybersecurity insurance coverage. Christine Marciano, a cybersecurity insurance expert and president of Cyber Data Risk Managers, was able to provide some estimates that would be pertinent to advisors. Christine has been in the financial services industry for over 18 years and additionally is a member of the International Association of Privacy Professionals.
She said underwriters consider many factors to determine the cost for cybersecurity insurance premiums such as industry, revenue, data classifications, security policies, and the procedures the business has in place.
So how much will you have to spend? Christine offered the following examples as a guideline. (These premiums are based on a Lloyd’s of London program active at this time; others will vary.)
[Table: Annual Premium* for Cybersecurity Insurance, by policy liability limit]
Source: Christine Marciano, President of Cyber Data Risk Managers; *These premiums, based on a Lloyd’s of London program, were valid at time of publication, but are subject to change.
Hypothetically, if you are an advisor with $50 million in assets under management (AUM) and charge an average fee of 2% per year, your gross revenue will be $1 million. Based on these variables, the minimum annual cybersecurity insurance policy premium will be $1,500 per year. Your new insurance will cost about the same as a daily Starbucks Venti Caramel Frappuccino at $4.25. That is a small price to pay for protection in what may very well be your business’s darkest hour.
Fraud never sleeps—Prevention, resolution, and maintenance
These days, the biggest struggle with cybersecurity is among individual practitioners and small and mid-tier firms with limited knowledge, resources, and time, who are just now realizing their vulnerability to cybercrime. Don’t make the mistake of thinking it won’t happen to you. Don’t neglect this critical need, and don’t wait until after you have been attacked. Hopefully, this article will charge you with the desire to prepare for the perfect storm—because it’s coming.